formbook | 592b3020e3d173ec6a83f9c082843097740cc293a786ed1e1e066cfff97dd82f

General

Target

799771ed49526278d6116d80ed800eae_JaffaCakes118.rtf
Size

824KB
MD5

799771ed49526278d6116d80ed800eae
SHA1

c25fe6f2cd4e4bb23df3c70cff9966a4fdf02242
SHA256

592b3020e3d173ec6a83f9c082843097740cc293a786ed1e1e066cfff97dd82f
SHA512

fbef4ffe7fc1b41ffa816cd7a0c88f19bcd0037249a6fb5e87b3bcabef5a61601ad711911057ff804e4320435a45ceb5da0eed74fdf49561ae661b26527521fa
SSDEEP

12288:e+WhWEyIuvEpsdBOHkY2iBL1gda4mEqLLNrTtOpsdfU:eIRITpsdwHkibijqLhrTkpsd8

Score

10^/10

formbook ch36 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch36

Decoy

hookbug.com

useicar.net

plentyofhosting.com

finalmary.win

pacwestcoastalproperties.com

prideharmonyfoundation.com

royaltakeout.com

lephare-shop.com

alphaomeganetworks.com

solistkonsilanlari.com

yj-info.net

badajozbeerlab.com

wwwjsvip9999.com

centraltexasrvpark.net

hosofb789.com

roademissions.com

toscanaristorazione.com

jrmsj.com

sweetsncandy.com

hzcrgg.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2636	2588	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2776	2588	cmd.exe	WINWORD.EXE

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/904-45-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/904-49-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

exe.exeexe.exe

pid process

2044 exe.exe
904 exe.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeexe.exe

pid process

2704 cmd.exe
2704 cmd.exe
2044 exe.exe

pid	process
2044	exe.exe
904	exe.exe

pid	process
2704	cmd.exe
2704	cmd.exe
2044	exe.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

exe.exeexe.execscript.exe

description	pid	process	target process
PID 2044 set thread context of 904	2044	exe.exe	exe.exe
PID 904 set thread context of 1232	904	exe.exe	Explorer.EXE
PID 1720 set thread context of 1232	1720	cscript.exe	Explorer.EXE

Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2148 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2832 taskkill.exe
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXEEQNEDT32.EXE

pid process

2672 EQNEDT32.EXE
2748 EQNEDT32.EXE

pid	process
2148	timeout.exe

pid	process
2832	taskkill.exe

pid	process
2672	EQNEDT32.EXE
2748	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2588 WINWORD.EXE

pid	process
2588	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

exe.execscript.exe

pid	process
904	exe.exe
904	exe.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe
1720	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

exe.execscript.exe

pid process

904 exe.exe
904 exe.exe
904 exe.exe
1720 cscript.exe
1720 cscript.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exeexe.execscript.exe

description pid process

Token: SeDebugPrivilege 2832 taskkill.exe
Token: SeDebugPrivilege 904 exe.exe
Token: SeDebugPrivilege 1720 cscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

exe.exe

pid process

2044 exe.exe
2044 exe.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

exe.exe

pid process

2044 exe.exe
2044 exe.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEexe.exe

pid process

2588 WINWORD.EXE
2588 WINWORD.EXE
2044 exe.exe
2588 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	904	exe.exe
Token: SeDebugPrivilege	1720	cscript.exe

pid	process
2044	exe.exe
2044	exe.exe

pid	process
2044	exe.exe
2044	exe.exe

pid	process
2588	WINWORD.EXE
2588	WINWORD.EXE
2044	exe.exe
2588	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.execmd.exeEQNEDT32.EXE

description	pid	process	target process
PID 2588 wrote to memory of 2636	2588	WINWORD.EXE	cmd.exe
PID 2588 wrote to memory of 2636	2588	WINWORD.EXE	cmd.exe
PID 2588 wrote to memory of 2636	2588	WINWORD.EXE	cmd.exe
PID 2588 wrote to memory of 2636	2588	WINWORD.EXE	cmd.exe
PID 2636 wrote to memory of 2704	2636	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2704	2636	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2704	2636	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2704	2636	cmd.exe	cmd.exe
PID 2588 wrote to memory of 2776	2588	WINWORD.EXE	cmd.exe
PID 2588 wrote to memory of 2776	2588	WINWORD.EXE	cmd.exe
PID 2588 wrote to memory of 2776	2588	WINWORD.EXE	cmd.exe
PID 2588 wrote to memory of 2776	2588	WINWORD.EXE	cmd.exe
PID 2704 wrote to memory of 2148	2704	cmd.exe	timeout.exe
PID 2704 wrote to memory of 2148	2704	cmd.exe	timeout.exe
PID 2704 wrote to memory of 2148	2704	cmd.exe	timeout.exe
PID 2704 wrote to memory of 2148	2704	cmd.exe	timeout.exe
PID 2748 wrote to memory of 1252	2748	EQNEDT32.EXE	CmD.exe
PID 2748 wrote to memory of 1252	2748	EQNEDT32.EXE	CmD.exe
PID 2748 wrote to memory of 1252	2748	EQNEDT32.EXE	CmD.exe
PID 2748 wrote to memory of 1252	2748	EQNEDT32.EXE	CmD.exe
PID 2704 wrote to memory of 2044	2704	cmd.exe	exe.exe
PID 2704 wrote to memory of 2044	2704	cmd.exe	exe.exe
PID 2704 wrote to memory of 2044	2704	cmd.exe	exe.exe
PID 2704 wrote to memory of 2044	2704	cmd.exe	exe.exe
PID 2704 wrote to memory of 2832	2704	cmd.exe	taskkill.exe
PID 2704 wrote to memory of 2832	2704	cmd.exe	taskkill.exe
PID 2704 wrote to memory of 2832	2704	cmd.exe	taskkill.exe
PID 2704 wrote to memory of 2832	2704	cmd.exe	taskkill.exe
PID 2704 wrote to memory of 2564	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2564	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2564	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2564	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1668	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1668	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1668	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1668	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 3020	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 3020	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 3020	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 3020	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1684	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1684	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1684	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1684	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2160	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2160	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2160	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2160	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2240	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2240	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2240	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 2240	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1532	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1532	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1532	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1532	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 756	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 756	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 756	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 756	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 1072	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 1072	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 1072	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 1072	2704	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\799771ed49526278d6116d80ed800eae_JaffaCakes118.rtf"
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\timeout.exe
TIMEOUT 1
5⤵
- Delays execution with timeout.exe
PID:2148

C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\ExE.ExE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\ExE.ExE
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM winword.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
5⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
5⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
5⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
5⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
5⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
5⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
5⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
5⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
5⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
6⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
5⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
6⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
5⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
6⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
5⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
6⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
5⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
6⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
5⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
6⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
5⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
6⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
5⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
6⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
3⤵
- Process spawned unexpected child process
PID:2776

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:468

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"
3⤵
PID:1516

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\CmD.exe
CmD /C %tmp%\task.bat & UUUUUUUUc
2⤵
PID:1252

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nd.bat
Filesize
2KB

MD5
042a85703b16f6204b77947e223ca8d8

SHA1
748c78444785ba150c7b59f69d83fbea02d3ac08

SHA256
b2142ce20a5abca30228f0e4c9cf5d37b5e63bc172e0212c0cb36c97dfe65bd4

SHA512
670e5e33cd8180c28e9927e90ff0ed1bb642bda9b59b6c589d444f22b1ee8a64052d43f2fbe224e5ef24bf5d75aa276291fb0ba3d6bd96657926372fc5ae9bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe.exe
Filesize
336KB

MD5
668eb6d8d8cba4d2ba26eeb6901ac0c9

SHA1
a102977cdcc9dd511ecf1353479fedbfd6c4f611

SHA256
afa7ae184febb37001415917d853b9d74c86378912093985a34724db92ee7d51

SHA512
676ca803cc3911a264391d96d5ab578e0c56b7849851b8dc53c2aafd9570225f05ead349bc0f21bd92857d7503c03906e85e8901372dc62cf5e385ee046e18b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct
Filesize
432B

MD5
8decdcaeb92d9f628b6bf95de4c0597a

SHA1
19443ad64921ef01a77619350efcc97cd767a36b

SHA256
e4f6b9def338fe9aca9e8796e79c58c5e42168e697c41bfe149946513765036e

SHA512
d67fee80c9f4884331e476f53de7516d21e926cf2f00094bf310ccd6e875164740b31749ec1ea43c1015037590b9bfebe2bde0065d75e42343bfbd0c46bccf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat
Filesize
149B

MD5
c42b20e49a3b093e2d0c9d6b3051cfc7

SHA1
5fc1f968c7285c8b0c5f25e839e14d77df7e28f3

SHA256
83935da79d6a4dcfd28121b5c0dd01b40e66da125971ac49e65221efb91a65a6

SHA512
01881572adbe471797fd901057fabb1d631fc675dacd33c59876b9bb163deb1b9f8f82ed49c8a19bf69d871abe8e241beba8dcddc84ca4caf13ee4d4be9ac1fe

Download Submit
memory/904-45-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/904-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1232-48-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1232-54-0x0000000004C20000-0x0000000004CE6000-memory.dmp

Filesize
792KB

Download
memory/1720-51-0x0000000000750000-0x0000000000772000-memory.dmp

Filesize
136KB

Download
memory/2588-0-0x000000002F701000-0x000000002F702000-memory.dmp

Filesize
4KB

Download
memory/2588-2-0x000000007155D000-0x0000000071568000-memory.dmp

Filesize
44KB

Download
memory/2588-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2588-42-0x000000007155D000-0x0000000071568000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads